Hello Douglas,
For the moment, instead of setting up a Samba server, we will be collecting an unencrypted network trace and a Time Travel trace of the lsass.exe process from the Windows domain controller for investigation. You should have received an e-mail from “CTS automated diagnostics Service” ctsadiag at microsoft.com with the details of the workspace to exchange data/tools with us.
Please download TTT_x86_x64_External.zip from the workspace created for you.
Assuming your Windows 2012+ AD is X64, extract and place the "X64" folder from the zip file somewhere on the C:\ drive to collect an X64 time travel trace. Otherwise you will use the "X86" folder from the zip file.
Basically we will be collecting a network trace to view the over-the-wire LDAP request and a Time Travel trace of the lsass process from the Windows DC to see how the search/sorting is actually executed, for investigation.
Since you are familiar with network trace collection, I will just state the basic procedure for collecting time travel trace.
Open Task Manager on the domain controller, go to the Details tab, find the process lsass.exe and note the PID number, i.e. process ID.
Launch a command prompt with **admin** privilege and move to the folder where you've placed TTT tool (i.e. X64 or X86 folder as appropriate).
Execute TTTracer.exe -dumpFull -attach <pid_number_of_lsass>
Wait for a minute or two until you see a small dialog with a check box "Tracing on" checked. i.e. it shows your lsass.exe process being traced.
Start network trace capture.
Now reproduce your issue.
Stop network trace capture.
Uncheck the "tracing on" check box to stop tracing. It should create two files named lsass01.run and lsass01.out.
Upload the network trace, time travel trace i.e. lsass01.run, lsass01.out.
PS: Please keep traffic on your test AD to absolute minimum as these traces grow very quickly and also to avoid noise. Also ensure that the LDAP Requests are not encrypted.
Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications
-----Original Message-----
From: Douglas Bagnall [mailto:douglas.bagnall at catalyst.net.nz]
Sent: Thursday, March 31, 2016 6:54 PM
To: Sreekanth Nadendla
Cc: MSSolve Case Email; cifs-protocol at lists.samba.org
Subject: Re: [REG:116031413826715] [cifs-protocol] Virtual List View with timestamps (syntax 2.5.5.11).
hi Sreekanth,
I am not able to reproduce the problem using LDP because it doesn't give me enough control over the VLV control (or at least, I can't find it and/or don't know the syntax).
I have narrowed down a test case with three users (get-aduser output):
DistinguishedName : CN=vlvtest0,OU=vlv,DC=win2012r2,DC=douglasb,DC=wgtn,DC=cat-it,DC=co,DC=nz
Enabled : False
GivenName : a
msTSExpireDate4 : 1/1/1900 2:00:00 PM
Name : vlvtest0
ObjectClass : user
ObjectGUID : 5b0e5905-a28b-4433-97fd-3555bfeaa14e
SamAccountName : $25H600-98JP8L270V9A
SID : S-1-5-21-1006928648-2256676121-1790150887-214178
Surname :
UserPrincipalName :

DistinguishedName : CN=vlvtest1,OU=vlv,DC=win2012r2,DC=douglasb,DC=wgtn,DC=cat-it,DC=co,DC=nz
Enabled : False
GivenName : b
msTSExpireDate4 : 1/1/1901 2:00:00 PM
Name : vlvtest1
ObjectClass : user
ObjectGUID : 74f695e9-5351-4837-8015-31c47cddd3cf
SamAccountName : $35H600-3TA35RNP01BM
SID : S-1-5-21-1006928648-2256676121-1790150887-214179
Surname :
UserPrincipalName :

DistinguishedName : CN=vlvtest2,OU=vlv,DC=win2012r2,DC=douglasb,DC=wgtn,DC=cat-it,DC=co,DC=nz
Enabled : False
GivenName : c
msTSExpireDate4 : 1/1/1902 2:00:00 PM
Name : vlvtest2
ObjectClass : user
ObjectGUID : c7e6b84f-725e-4a66-b5ec-92a6a31117c6
SamAccountName : $45H600-A7ARQDME0VCC
SID : S-1-5-21-1006928648-2256676121-1790150887-214180
Surname :
UserPrincipalName :
In LDAP, those dates are respectively formatted as "19000101010000.0Z", "19010101010000.0Z", and "19020101010000.0Z".
I search in the base
"OU=vlv,DC=win2012r2,DC=douglasb,DC=wgtn,DC=cat-it,DC=co,DC=nz"
with no filter.
The server_sort control sorts on msTSExpireDate4, not reversed.
The VLV control is set to find items with msTSExpireDate4 >= 20770510223856.0Z, and the before and after counts are set to zero.
Both controls are marked critical.
When the VLV is set to >= 20770510223856.0Z, the first result
(vlvtest0 with msTSExpireDate4 == 19000101010000.0Z) is returned.
When the VLV is set to >= 20770510223855.0Z (one second earlier), no results are returned, as would be expected.
My tests are derived from the Samba test suite. I am happy to share them, but you will need a Samba environment to make them work.
We have checked in Wireshark that the requests and responses are indeed travelling over the wire.
cheers,
Douglas
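
As an added example (not part of the original e-mail or of the Samba test suite), the sketch below decodes the colon-separated bytes that appear in the quoted text of this thread as a VLV request control value, assuming the VirtualListViewRequest layout from draft-ietf-ldapext-ldapv3-vlv, and models the empty result the message describes as expected. The function names and the string comparison of timestamps are assumptions made for illustration.

```python
# Added example, not code from the thread. Names here are hypothetical.
# Bytes as they appear (colon-separated) in the quoted part of this thread.
PAGE_HEX = ("30:19:02:01:00:02:01:00:81:11:32:30:37:37:30:35:31:30:32:32:33"
            ":38:35:36:2e:30:5a")

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one short- or long-form BER TLV."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def decode_vlv_request(raw):
    """Decode beforeCount, afterCount and target; optional contextID is ignored."""
    tag, seq, end = read_tlv(raw, 0)
    if tag != 0x30 or end != len(raw):
        raise ValueError("not a single SEQUENCE")
    t1, before, p = read_tlv(seq, 0)
    t2, after, p = read_tlv(seq, p)
    t3, target, p = read_tlv(seq, p)
    if (t1, t2) != (0x02, 0x02):
        raise ValueError("beforeCount/afterCount must be INTEGER")
    out = {"before": int.from_bytes(before, "big", signed=True),
           "after": int.from_bytes(after, "big", signed=True)}
    if t3 == 0x81:                         # [1] greaterThanOrEqual AssertionValue
        out["gte"] = target.decode("ascii")
    elif t3 == 0xA0:                       # [0] byOffset SEQUENCE {offset, contentCount}
        _, off, q = read_tlv(target, 0)
        _, cnt, _ = read_tlv(target, q)
        out["offset"] = int.from_bytes(off, "big", signed=True)
        out["content_count"] = int.from_bytes(cnt, "big", signed=True)
    else:
        raise ValueError("unknown target tag 0x%02x" % t3)
    return out

def expected_window(sorted_values, req):
    """Reference model: target is the first entry >= gte; empty list if none.
    Assumes all values share the YYYYMMDDHHMMSS.0Z form, so string order = time order."""
    idx = next((i for i, v in enumerate(sorted_values) if v >= req["gte"]), None)
    if idx is None:
        return []
    return sorted_values[max(0, idx - req["before"]): idx + req["after"] + 1]

def decode_page_bytes():
    return decode_vlv_request(bytes.fromhex(PAGE_HEX.replace(":", "")))
```
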
> Hello Douglas, I've used the following parameters from within the built-in tool LDP (launched by LDP.exe). I could not reproduce the issue.
>> Ldap SearchFilter =
> "(&(objectClass=user)(msTSExpireDate2>=19991231211234.0Z))";
>> attribs Requested = { "cn", "msTSExpireDate4" };
>> Target value for the VLV search request
> string valueToSearch = "*";
>> SortKeys used "msTSExpireDate4"
>> Perhaps you could perform the Virtual List View search with sorting on msTSExpireDate4 the same way via LDP.exe and confirm if the issue reproduces at your end?
>> If it does, then maybe you can provide me the output of the following PowerShell query on your test domain controller so that I can create user accounts similarly and set the values for msTSExpireDate4 to reproduce the issue.
>> get-aduser -filter * -properties msTSExpireDate4
>>> Regards,
> Sreekanth Nadendla
> 30:19:02:01:00:02:01:00:81:11:32:30:37:37:30:35:31:30:32:32:33:38:35:36:2e:30:5a
> Microsoft Windows Open Specifications
>> -----Original Message-----
> From: Sreekanth Nadendla
> Sent: Wednesday, March 30, 2016 10:55 AM
> To: 'Douglas Bagnall'
> Cc: MSSolve Case Email
> Subject: RE: [REG:116031413826715] [cifs-protocol] Virtual List View with timestamps (syntax 2.5.5.11).
>> Hello Douglas, I have attempted to reproduce the issue but I am having difficulty in getting the same behavior. Initially I thought I would have to have the TS sessions and to avoid the setup, I've used other attributes of same data type but then I've realized that I could just create several users and simply set the values for msTSExpireDate4 for each of those users via user Properties tab in "Active Directory Users and Computers".
>>> If you could send me the following details from your test code, I would have almost identical setup that I can use to reproduce the issue.
>> ldapSearchFilter,
> valueToSearch,
> Contents of array of attribute names to be passed to the SearchRequest
> and the attribute passed to the sortRequest
>> If you run the following powershell command, it will show the
> datetimestamp values for each user that I can use in my test
> get-aduser -filter * -properties msTSExpireDate4
>> Also I'm just curious how you are testing this at your end. Are you using .Net VlvRequestControl (https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fmsdn.microsoft.com%2fen-us%2flibrary%2fbb332056.aspx&data=01%7c01%7csrenaden%40microsoft.com%7cb2002bc5381b4b4752b908d359b7535b%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=diLEACx8lcTd2c7Jt0s%2bC9kAMLr4utFq4fSFtWt4LQE%3d) ?
>>>> Regards,
> Sreekanth Nadendla
> Microsoft Windows Open Specifications
>> -----Original Message-----
> From: Sreekanth Nadendla
> Sent: Tuesday, March 15, 2016 10:03 AM
> To: Douglas Bagnall
> Cc: cifs-protocol at lists.samba.org; MSSolve Case Email
> Subject: [REG:116031413826715] [cifs-protocol] Virtual List View with timestamps (syntax 2.5.5.11).
>> Hello Douglas, I will be assisting you with your question. I am currently researching the problem and will provide you with an update soon. Thank you for your patience.
>>> Regards,
> Sreekanth Nadendla
> Microsoft Windows Open Specifications
>>> -----Original Message-----
> From: Douglas Bagnall [mailto:douglas.bagnall at catalyst.net.nz]
> Sent: Monday, March 14, 2016 4:23 PM
> To: Interoperability Documentation Help <dochelp at microsoft.com>
> Cc: cifs-protocol at lists.samba.org
> Subject: Re: [cifs-protocol] Virtual List View with timestamps (syntax 2.5.5.11).
>> I wrote:
>> hi Dochelp,
>>>> When I search Windows 2012R2 Active Directory with VLV, I get a
>> strange result with "greater than or equal" queries on attributes
>> with syntax
>> 2.5.5.11 (for example msTSExpireDate4). If the search value is
>> greater than any of the attribute values, AD returns values from the
>> beginning of the sorted list rather than the empty list that it does
>> for other syntaxes.
>>>> Supposing there are three user objects with msTSExpireDate4 set to
>> '19000101010000.0Z', '19010101010000.0Z', and '19020101010000.0Z'
>> (the years are incrementing).
>> Sorry, I can't reproduce this with just 3 objects. It occurs with 30 objects, but I was trying to simplify for the sake of communication without actually testing the simplified version.
>> Douglas
>>> A VLV search with the following parameters:
>>>> attr: msTSExpireDate4
>> before: 0
>> after: 0
>> greater than or equal: 19991231211234.0Z
>>>> returns ['19000101010000.0Z'] -- that is the first value. A similar
>> search using an attribute with a different syntax will return an empty list.
>>>> I can't find any reference to this in the documentation, and it seems
>> to differ from the RFCs. Does this behaviour have a purpose?
>>>> cheers,
>> Douglas